PASSWORD CRACKING WITH HYDRA — PART 2

Laksha
Published in CYSCOM VITCC
Jun 14, 2021

Hey readers!

This is Part 2 of the Password Cracking with Hydra blog series. In my previous blog, we touched upon what passwords are, how password authentication works, and the types of password cracking techniques (read my Part 1 blog here). With these, we can now understand where Hydra comes into the picture of password cracking.

Commands:

Let’s dive right into the command syntax using the basic yet important flags needed to get through. If you want to know about all the flags in hydra, type man hydra (checking the output of the man command is the best way to learn about a tool). Its output is given below, with the general syntax highlighted.

The syntax of the command depends mainly on 2 things:

  • The type of attack that you are carrying out
  • The network protocol that you are attacking

TYPE OF ATTACK:

DICTIONARY ATTACK:

  • -l : enables a single username
  • -L : enables a username list
  • -p : enables a single password
  • -P : enables a password list

Hydra is so flexible that it can be used to crack login credentials in all possible ways. Try framing the command for each case:

  • A username & a password:
hydra -l <username> -p <password> <Machine-IP> <network>
  • Username list & a password (guessing a username for a given password):
hydra -L <username-list> -p <password> <Machine-IP> <network>
  • A username & password list (guessing a password for a given username):
hydra -l <username> -P <password-list> <Machine-IP> <network>
  • Username list & password list (cracking login credentials):
hydra -L <username-list> -P <password-list> <Machine-IP> <network>

You can create your own custom username list and password list, but there are also common wordlists (like rockyou.txt) readily available on GitHub and other platforms.

BRUTEFORCE ATTACK:

-x : enables the password generation option (type hydra -x -h to get the help window)

Syntax: -x MIN:MAX:CHARSET

MIN : specifies the minimum number of characters in the password

MAX : specifies the maximum number of characters in the password

CHARSET : specifies the characters to use in the generation. Valid CHARSET values:

  • ‘a’ for lowercase letters
  • ‘A’ for uppercase letters
  • ‘1’ for numbers
  • real representation for all others

-y : generates passwords using only the specified characters

Say the username is admin and the password is 19vdj/^ for an FTP service; then, to guess this password, the command would be

hydra -l admin -x 6:8:'1a!@?^*%/' <Machine-IP> ftp

(The charset is single-quoted so the shell does not interpret !, ? or *.)

PASSWORD SPRAYING:

-u : tries a password for every user (instead of trying all passwords on a single user before moving on to the next user). A typical spraying attack command just adds the -u flag at the end of a dictionary attack command.

hydra -L <username-list> -P <password-list> <Machine-IP> ftp -u
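On the defending side, the two orderings described above leave different traces in authentication logs: one source failing against many accounts in turn, versus one source failing repeatedly against a single account. The following is an added example, not part of the original post; the sshd log lines are constructed and the thresholds and function names are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sshd auth-log lines for illustration (not from the original page).
SAMPLE_LOG = """\
Jun 14 10:00:01 srv sshd[811]: Failed password for root from 10.0.0.5 port 40110 ssh2
Jun 14 10:00:02 srv sshd[812]: Failed password for root from 10.0.0.5 port 40112 ssh2
Jun 14 10:00:03 srv sshd[813]: Failed password for root from 10.0.0.5 port 40114 ssh2
Jun 14 10:00:04 srv sshd[814]: Failed password for root from 10.0.0.5 port 40116 ssh2
Jun 14 10:01:01 srv sshd[820]: Failed password for alice from 10.0.0.9 port 51000 ssh2
Jun 14 10:01:02 srv sshd[821]: Failed password for invalid user bob from 10.0.0.9 port 51002 ssh2
Jun 14 10:01:03 srv sshd[822]: Failed password for carol from 10.0.0.9 port 51004 ssh2
Jun 14 10:01:04 srv sshd[823]: Failed password for invalid user dave from 10.0.0.9 port 51006 ssh2
Jun 14 10:01:05 srv sshd[824]: Failed password for alice from 10.0.0.9 port 51008 ssh2
Jun 14 10:02:00 srv sshd[830]: Failed password for erin from 10.0.0.7 port 52000 ssh2
Jun 14 10:02:09 srv sshd[831]: Accepted password for erin from 10.0.0.7 port 52002 ssh2
"""

FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+")

def failures_by_source(log_text):
    """Return {source_ip: [username, ...]} in the order the failures were logged."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            seen[m["src"]].append(m["user"])
    return seen

def classify(users, min_users=4, min_per_user=4):
    """Label one source's failure sequence using assumed thresholds."""
    per_user = Counter(users)
    # Share of consecutive failures that switch account: high when looping over users.
    switches = sum(a != b for a, b in zip(users, users[1:]))
    switch_ratio = switches / max(len(users) - 1, 1)
    if len(per_user) >= min_users and switch_ratio >= 0.8:
        return "password-spraying"
    if max(per_user.values()) >= min_per_user:
        return "single-account guessing"
    return "below threshold"

def detect(log_text):
    return {src: classify(u) for src, u in failures_by_source(log_text).items()}

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Per-account lockout alone only counts the second pattern; the per-source count of distinct accounts is what surfaces the first.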

Additional flags:

  • Use of Verbose or Debug Mode for Examining Brute Force

-V : shows every attempt made while looking for a valid username and password combination

-d : enables debug and verbose mode together; shows complete detail

  • NULL / Same as Login / Reverse Login Attempt

-e nsr : tries a null password (""), the login itself, and the reversed login as passwords

  • Attacking a Specific Port

-s : specifies the port to attack

Say the FTP service is found running on port 2121 instead of 21; then the command will be

hydra -L <username-list> -P <password-list> <Machine-IP> ftp -s 2121

  • Restoring an Attack

-R : resumes / restores a previous attack

  • Saving Output

-o : saves output to the file name given after it

hydra -L <username-list> -P <password-list> <Machine-IP> <network> -o <file-name>

NETWORK PROTOCOL:

Let’s learn the syntax and flags by analyzing example commands.

FTP:

hydra -l norman -x 1:3:aA1 192.168.1.10 ftp -y

Brute-forces the FTP service for the username “norman” with passwords 1 to 3 characters long, built from ‘a’, ‘A’, and ‘1’ only.
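To see how much the -y flag and the MIN:MAX range change the number of candidate passwords, and so what password length and lockout policy have to withstand, here is an added example (not part of the original post) that models the MIN:MAX:CHARSET rules as this page describes them. The function names, the 8:8:aA1 spec and the guess rate are assumptions.

```python
import string

# Character classes as the page describes them for the -x CHARSET field.
CLASSES = {"a": string.ascii_lowercase, "A": string.ascii_uppercase, "1": string.digits}

def parse_spec(spec, literal=False):
    """Split MIN:MAX:CHARSET and expand the charset into a set of characters.

    literal=True models the -y flag: 'a', 'A' and '1' stand for themselves.
    """
    lo, hi, charset = spec.split(":", 2)
    lo, hi = int(lo), int(hi)
    if not 1 <= lo <= hi:
        raise ValueError("need 1 <= MIN <= MAX")
    chars = set()
    for c in charset:
        chars.update(c if literal else CLASSES.get(c, c))
    return lo, hi, chars

def keyspace(spec, literal=False):
    """Number of candidate passwords: sum of |charset|**n for n in MIN..MAX."""
    lo, hi, chars = parse_spec(spec, literal)
    return sum(len(chars) ** n for n in range(lo, hi + 1))

def worst_case_days(spec, attempts_per_second, literal=False):
    """Days needed to exhaust the keyspace at an assumed, constant guess rate."""
    return keyspace(spec, literal) / attempts_per_second / 86400

if __name__ == "__main__":
    print(keyspace("1:3:aA1", literal=True))  # the FTP example above, with -y
    print(keyspace("1:3:aA1"))                # the same spec without -y
    # Constructed spec: 8 characters of letters and digits at an assumed 10 guesses/s.
    print(round(worst_case_days("8:8:aA1", attempts_per_second=10)))
```

With -y the FTP example covers only 39 candidates, while the same spec without -y covers 242234; at eight characters the range is far beyond what an online service with rate limiting or lockout will ever see exhausted.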

SSH:

hydra -l root -P /usr/share/john/password.txt 157.240.25.35 -t 4 ssh

Carries out a dictionary attack on the “root” user, using the password.txt dictionary, on the target with IP 157.240.25.35 that runs the SSH service.

  • -t : specifies the number of tasks to run simultaneously (the ideal value is 4).

WEB:

GET FORM:

hydra -f 127.0.0.1 -l admin -P /usr/share/wordlists/rockyou.txt http-get-form "/vulnerabilities/brute/index.php:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H=Cookie:PHPSESSID=3jr86cmf45oen0ggigm630fstu; security=low"

/vulnerabilities/brute/index.php — URL of the authentication page
username, password, Login — GET form parameters
^USER^, ^PASS^ — show where the username and password from the dictionary should be filled in, respectively

POST FORM:

hydra -l admin -P /usr/share/wordlists/rockyou.txt 127.0.0.1 http-post-form "/login:username=^USER^&password=^PASS^:F=Your username or password is incorrect." -V

/login — URL of the authentication page

Now that we understand how many of the flags work, it’s time for you to practice them. Go on and try the “Hydra” room on TryHackMe, and also practice brute-forcing in DVWA.

Happy Hacking!
